1. Field of the Invention
The present invention relates generally to network security, and more particularly, to systems and methods for increasing the security of network guard systems.
2. Discussion of the Related Art
Firewalls are an essential ingredient in a corporate entity's network security plan. Firewalls represent a security enforcement point that separates a trusted network from an untrusted network. FIG. 1 illustrates a generic example of a network security plan that incorporates a firewall system. In this generic example, firewall system 120 is operative to screen all connections between private network 110 and untrusted system 140. These connections are facilitated by Internet network 130. In the screening process, firewall system 120 determines which traffic should be allowed and which traffic should be disallowed based on a predetermined security policy.
One type of firewall system is an application-level gateway or proxy server, which acts as a relay of application-level traffic. Proxy servers tend to be more secure than packet filters. Rather than trying to deal with the numerous possible combinations that are to be allowed and forbidden at the transmission control protocol (TCP) and Internet protocol (IP) level, the proxy server need only scrutinize a few allowable applications (e.g., Telnet, file transfer protocol (FTP), simple mail transfer protocol (SMTP), hypertext transfer protocol (HTTP)). Generally, if the proxy server does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the proxy server can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features.
Traditional proxies typically allow unlimited communication from the inside network to the outside network, and limited communication from the outside network to the inside network. Any flaw in the proxy (including subversion) can cause the proxy to provide direct communication from the outside network to the inside network.
This traditional proxy is not suitable for highly classified or proprietary networks (e.g., military/defense organization, law firm, financial institution, etc.). These types of organizations often require access to public "open source" news and weather information (e.g., CNN). Additionally, these types of organizations need to allow limited subsets of users on the outside to access resources inside the classified or proprietary networks, especially in coalition environments.
Connecting such networks together historically required a guard, a special purpose device designed to prevent information flowing from the inside network (the more highly classified side) to the outside network (the less highly classified side). Guards differ from firewalls in their primary intent. A firewall is mostly concerned with keeping unauthorized users out, while a guard has the additional goal of preventing information on the inside from being sent to the outside.
Conventional guards suffer from several key problems. First, some guards were either built on special purpose operating systems to maximize their resistance to attack (which made them both expensive to obtain and manage), or they were built on weak commercial off-the-shelf (COTS) operating systems (which made them vulnerable to attack). An example of a COTS operating system guard is the ISSE guard, which is built on the Solaris operating system. The ISSE guard is described in "Imagery Support Server Environment (ISSE) Guard System Description," http://www.itd.sterling.com/rome/projects/products/isse/ISSE_SD.html. An example of a special purpose operating system guard is the C2 Guard described in Thomas Fiorino et al., "Lessons Learned During the Life Cycle of an MLS Guard Deployed at Multiple Sites", Proceedings of the Eleventh Annual Computer Security Applications Conference, New Orleans, La., December 1995.
The C2 Guard consists of three computers: a Sun Solaris system that queues files from the inside and passes them over a serial line to a Wang XTS-300; the XTS-300 that runs the content-based filters; and a second Sun Solaris system that accepts the files over a serial line from the XTS-300 and transfers them to the outside. (The process is equivalent for files being transferred from the outside to the inside.) The queuing and dequeuing computers are required to be dedicated to that purpose; they accept (and send) files using NFS and FTP. In environments where protocols such as the Internet Inter-ORB protocol (IIOP) are required, another pair of computers (shown as the protocol/file translators) is required to translate from the native protocol to file format and back.
The special purpose nature of the C2 Guard is indicative of a second problem with conventional guards. In particular, guards that are built for particular applications are generally hard to extend to other uses. For example, a Defense Information Systems Agency sponsored study ("Security Guard Study", Defense Information Systems Agency, August 1995) found that of the approximately 50 different guards that were built by the US Department of Defense, none of these guards had the capability to deal with modern middleware protocols such as IIOP used by the Common Object Request Broker Architecture (CORBA).
A third limitation of conventional guards is that they require a human to "certify" each piece of data (e.g., E-mail message) to be released from the inside to the outside. This is difficult to do accurately. In general, the certification occurs inside the enclave, using trusted software that puts a digital signature on the data to be released. The signature is then verified by the guard before release. This technique relies on the correct operation of the user's approval software (i.e., the correct functioning of the user's workstation). For example, Secure Computing's Standard Mail Guard (SMG), described in R. Smith, "Constructing a High Assurance Mail Guard," Proceedings of the 17th National Computer Security Conference, Baltimore, Md., October 1994, requires that the user invoke a Fortezza card to perform signing of each message to be released, without any assurance that the Fortezza card is signing what the user intended. The SMG can verify that the signature was applied correctly, but cannot determine whether the signed data is in fact appropriate for release, or even if it is what the user intended to release. Even aside from assurance issues, this scheme is inappropriate for connections involving lower-level protocols (e.g., IIOP), since users cannot realistically approve each object invocation.
As special purpose devices, guards lack integration with other security devices, such as intrusion detection systems. They require a separate set of management capabilities, and cannot be managed along with the rest of the network. What is needed therefore is a next generation guard that can be readily integrated within a modern network security framework.
The present invention meets the aforementioned needs by generating a flexible data guard using existing network security products. It is a feature of the present invention that the flexible data guard is based on a multi-part proxy. The multi-part proxy includes a first proxy agent that communicates with an inside computer network region, a second proxy agent that communicates with an outside computer network region, and a content-based filter application that reviews information that is passed between the first proxy agent and the second proxy agent. Both the first and second proxy agents can be based on existing firewall proxies. The proxy agents listen for protocol operations (e.g., IIOP requests or replies) and translate those protocol operations into protocol-independent data. The protocol-independent data is then analyzed by a protocol-independent content-based filter.
It is a further feature of the present invention that the behavior of the multi-part proxy can be further constrained for use in a data guard environment. These constraints on the multi-part proxy are effected through the use of software wrapper technology. The software wrappers provide for relatively small specifications of the allowed behavior of the associated multi-part proxy components. Security of the firewall components is thereby improved.
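As an added illustration of the multi-part proxy and wrapper arrangement described above (not code from the patent or any product it cites), the following Python model normalizes two constructed protocol forms into protocol-independent records, applies one content-based filter to both, and checks each hop between components against a small software-wrapper specification. All names, the marking pattern, the allow-lists and the constructed input forms are assumptions.

```python
import re
from dataclasses import dataclass, field
# Hypothetical model; record fields, regex, allow-lists and names are assumptions.

@dataclass
class Operation:
    """Protocol-independent form of one request, reply or message."""
    protocol: str
    direction: str  # "outbound" (inside -> outside) or "inbound"
    name: str       # operation or command name
    payload: str
    attrs: dict = field(default_factory=dict)

def parse_iiop_like(line: str, direction: str) -> Operation:
    """Proxy-agent step for a constructed 'CALL <object> <method> <args>' form."""
    _, obj, method, args = line.split(" ", 3)
    return Operation("iiop", direction, method, args, {"object": obj})

def parse_mail_like(msg: str, direction: str) -> Operation:
    """Proxy-agent step for a constructed mail form: header lines, blank, body."""
    head, _, body = msg.partition("\n\n")
    hdrs = dict(h.split(": ", 1) for h in head.splitlines())
    return Operation("smtp", direction, "DATA", body, hdrs)

MARKING = re.compile(r"\b(TOP SECRET|SECRET|PROPRIETARY)\b")
INBOUND_ALLOWED = {"iiop": {"getWeather", "getNews"}, "smtp": {"DATA"}}

def content_filter(op: Operation) -> bool:
    """One filter for all protocols: no marked data out, listed operations only in."""
    if op.direction == "outbound":
        return MARKING.search(op.payload) is None
    return op.name in INBOUND_ALLOWED.get(op.protocol, set())

# Software-wrapper specification: the only actions each component may take.
WRAPPER_SPEC = {
    "inside_agent":  {"read_inside", "write_filter"},
    "filter":        {"read_filter", "write_outside_agent"},
    "outside_agent": {"read_outside_agent", "write_outside"},
}

def wrapper_permits(component: str, action: str) -> bool:
    """A subverted component still cannot act outside its small specification."""
    return action in WRAPPER_SPEC.get(component, set())

def release(op: Operation) -> bool:
    """Guard decision: each hop wrapper-permitted and the content filter accepts."""
    hops = [("inside_agent", "write_filter"), ("filter", "write_outside_agent"),
            ("outside_agent", "write_outside")]
    return all(wrapper_permits(c, a) for c, a in hops) and content_filter(op)
```

The wrapper check is what addresses the flaw noted for traditional proxies: even a compromised outside agent has no permitted action that reads the inside region directly.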